EDNS Compliance Issues

candrews
Posts: 40
Joined: Thu Jul 24, 2008 11:50 am

EDNS Compliance Issues

Post by candrews »

The rollernet DNS servers are giving incorrect behavior as reported by the ISC EDNS tester. Here are the results for my rollernet DNS hosted domain:
https://ednscomp.isc.org/ednscomp/b1b6b0691a

I'm concerned that this issue will be particularly problematic following the February 1, 2019 DNS Flag Day: https://dnsflagday.net/

Thanks again!
sandrews
Posts: 7
Joined: Fri May 12, 2006 7:37 pm
Location: Surfers Paradise

Re: EDNS Compliance Issues

Post by sandrews »

I received a notification from my registrant last week (to upsell their DNS) and upon checking found the same as @candrews (no relation)!

All of my Rollernet domains have the same non-compliance, e.g. https://ednscomp.isc.org/ednscomp/0c2ccf16d4, though one of the domains I migrated for a client to Dreamhost also has EDNS failures.

My ISP doesn't, nor does Google.
Seth
Site Admin
Posts: 309
Joined: Sun Aug 30, 2009 10:44 pm
Location: Nevada

Re: EDNS Compliance Issues

Post by Seth »

Our servers do support EDNS properly (no firewall inspection, no TCP blocking), but appear to fail the ednscomp test because of how it performs the tests.

The bug is noted here:
https://github.com/PowerDNS/pdns/issues/6806
Seth Mattinen, Roller Network LLC
Seth
Site Admin
Posts: 309
Joined: Sun Aug 30, 2009 10:44 pm
Location: Nevada

Re: EDNS Compliance Issues

Post by Seth »

We do of course plan to continue upgrading PowerDNS, but we are doing so in incremental steps without making large version jumps because we need to make sure DNSSEC enabled zones don't break in the process. It's more critical to us to continue serving zones uninterrupted. When we perform an upgrade we let it bake for a while before looking at the next one. Because we decided to release DNSSEC support in Primary DNS before there was an API available, we had to resort to command line parsing to perform the DNSSEC functions used in the ACC. Making large jumps will break this, and we don't want to have to tell people the workaround is to turn off DNSSEC when we want to encourage DNSSEC to be used.

The problems that DNS Flag Day seeks to address are very old DNS implementations out there that don't support EDNS at all, or have TCP port 53 blocked, or have a firewall "inspecting" and altering DNS packets. These are the ones that will likely stop working when resolvers remove workarounds.

One thing you can do is run http://dnsviz.net against a zone with DNSSEC enabled and see that EDNS does indeed work when handling real queries that need EDNS or possibly TCP transport.
Seth Mattinen, Roller Network LLC
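The checks the ISC tester runs against an authoritative server (a plain query, an EDNS0 query, an unknown EDNS version, an unknown EDNS option, and the DO bit) can be reproduced with dig, but the following added example builds the wire-format queries directly so the expectation behind each test is explicit. This is example code written for this page, not code from the thread, from Roller Network, from PowerDNS or from ISC's ednscomp. The zone name, the server address passed to `probe`, and option code 100 as the "unknown option" are assumptions; `fake_response` constructs sample replies so the parser and evaluator can be exercised offline without any real name server.

```python
"""Reproduce ednscomp-style EDNS checks on the wire (added example, not ISC's code)."""
import socket
import struct

TYPE_A, TYPE_OPT = 1, 41
RCODE_NOERROR, RCODE_BADVERS = 0, 16   # BADVERS is 12-bit extended rcode 16 (RFC 6891)
OPT_UNKNOWN = 100                      # assumed unassigned option code; must not be echoed


def encode_name(name):
    """Uncompressed wire-format owner name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_opt(udp_size=4096, ext_rcode=0, version=0, do=False, options=()):
    """OPT pseudo-RR: root name, TYPE 41, CLASS=UDP size, TTL=ext-rcode|version|flags."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    ttl = (ext_rcode << 24) | (version << 16) | (0x8000 if do else 0)
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, len(rdata)) + rdata


def build_query(name, qid=0x1234, qtype=TYPE_A, edns=True, version=0, do=False, options=()):
    """Standard RD query, optionally carrying an OPT record in the additional section."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = build_opt(version=version, do=do, options=options) if edns else b""
    return header + question + opt


def read_name(data, off):
    """Skip a possibly compressed name and return the offset just past it."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def parse_response(data):
    """Header fields plus the OPT record (if any) and the full 12-bit extended rcode."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = read_name(data, off) + 4   # skip QTYPE/QCLASS
    result = {"id": qid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF,
              "answers": an, "opt": None}
    for _ in range(an + ns + ar):
        off = read_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == TYPE_OPT:
            options, p = [], 0
            while p + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                options.append((code, rdata[p + 4:p + 4 + olen]))
                p += 4 + olen
            result["opt"] = {"udp_size": rclass, "version": (ttl >> 16) & 0xFF,
                             "do": bool(ttl & 0x8000), "options": options}
            result["rcode"] = ((ttl >> 24) << 4) | (flags & 0xF)
    return result


# One query builder per ednscomp-style test name.
QUERIES = {
    "plain":   lambda n: build_query(n, edns=False),
    "edns":    lambda n: build_query(n),
    "edns1":   lambda n: build_query(n, version=1),
    "ednsopt": lambda n: build_query(n, options=((OPT_UNKNOWN, b""),)),
    "do":      lambda n: build_query(n, do=True),
}


def evaluate(test, resp):
    """List the problems a compliance checker would flag for the reply to `test`."""
    problems, opt = [], resp["opt"]
    if test == "plain":
        if opt is not None:
            problems.append("OPT returned to a query that sent none")
        if resp["rcode"] != RCODE_NOERROR:
            problems.append("expected NOERROR")
        return problems
    if opt is None:
        return ["no OPT record in reply to an EDNS query"]
    if opt["version"] != 0:
        problems.append("OPT version in reply must be 0")
    if test == "edns1":
        if resp["rcode"] != RCODE_BADVERS:
            problems.append("unknown EDNS version must be answered with BADVERS")
    elif resp["rcode"] != RCODE_NOERROR:
        problems.append("expected NOERROR")
    if test == "ednsopt" and any(code == OPT_UNKNOWN for code, _ in opt["options"]):
        problems.append("unknown option echoed back")
    return problems


def probe(server, name, test, timeout=3.0):
    """Send one test query over UDP to a real server (network; not used by the offline checks)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(QUERIES[test](name), (server, 53))
        data, _ = s.recvfrom(65535)
    return evaluate(test, parse_response(data))


def fake_response(name, rcode=0, ext_rcode=0, opt_version=0, options=(), answer=True, opt=True):
    """Constructed server reply (not real traffic) so the checks above run offline."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, 1 if answer else 0, 0, 1 if opt else 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    answer_rr = (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])) if answer else b""
    opt_rr = build_opt(ext_rcode=ext_rcode, version=opt_version, options=options) if opt else b""
    return header + question + answer_rr + opt_rr
```

To use it against a live server, call `probe("192.0.2.53", "example.com", "edns1")` for each key in `QUERIES`; an empty list means that test passed. The evaluator checks only what the wire format shows, so a server behind a middlebox that rewrites or drops EDNS packets shows up here as a missing OPT record or a timeout, which is exactly the class of failure the DNS Flag Day announcement describes.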